import os

import pymysql


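def main() -> None:
    """Prompt for a student name and print every matching row of `students`.

    Connection settings are read from the environment so that no credential
    lives in source control (the original hard-coded a root password here):

    * ``MYSQL_USER``     -- defaults to ``root``
    * ``MYSQL_PASSWORD`` -- required; the script refuses to connect without it
    * ``MYSQL_DATABASE`` -- defaults to ``itcast``

    Raises:
        SystemExit: when ``MYSQL_PASSWORD`` is not set.
    """
    password = os.environ.get("MYSQL_PASSWORD")
    if password is None:
        # Fail loudly rather than fall back to a password embedded in the script.
        raise SystemExit("MYSQL_PASSWORD is not set; refusing to connect")

    # Create the connection object.
    conn = pymysql.connect(
        user=os.environ.get("MYSQL_USER", "root"),
        password=password,
        database=os.environ.get("MYSQL_DATABASE", "itcast"),
    )
    try:
        name = input("请输入您要查询的学生姓名：")

        # UNSAFE: interpolating the input into the statement lets a value such as
        #   ' or 1 or '
        # rewrite the WHERE clause (SQL injection). Kept only as a reference:
        # sql = f"select * from students where name='{name}';"

        # SAFE: pass the value as a query parameter. The driver escapes/binds it
        # so the input is always treated as data, never as SQL text. Note that
        # the placeholder is %s regardless of the column type, and it is NOT
        # wrapped in quotes -- the driver adds them.
        sql = "select * from students where name = %s"
        # The cursor context manager closes the cursor even if execute() raises.
        with conn.cursor() as curs:
            curs.execute(sql, (name,))
            # Iterate the cursor directly instead of materialising fetchall().
            for record in curs:
                print(record)
    finally:
        # Release the connection on every path, including a failed query or
        # an interrupted input(); the original leaked it on exceptions.
        conn.close()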


# Script entry point: only run when executed directly, not when imported.
if __name__ == "__main__":
    raise SystemExit(main())
